Concerns with serde_yml #2212

Open
evilpie opened this issue Jan 27, 2025 · 3 comments
Comments

evilpie commented Jan 27, 2025

@dtolnay raised issues with serde_yaml on twitter/X: https://x.com/davidtolnay/status/1883906113428676938.

@evilpie evilpie changed the title Concerns with serde_yaml Concerns with serde_yml Jan 27, 2025
cafkafk commented Jan 27, 2025

Seems this is specifically the serde_yml crate https://github.com/sebastienrousseau/serde_yml, which, yeah... but I'm not sure this is an actual vulnerability as much as it's just the admittedly frustrating tendency for some projects not to do very thorough vetting of their dependencies.

@SkiFire13

I don't know what can be done about the debatable management of the crate, but at least the emitter issue is objectively a soundness issue and can be reported, no?

@tarcieri (Member)

Yes, you can file an informational = "unsound" advisory for it
